Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.

User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt;, &gt;, etc.).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/accordion

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload b2754%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e926f00d8d15 was submitted in the REST URL parameter 2. This input was echoed as b2754</title><script>alert(1)</script>926f00d8d15 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/addClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a598d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e78e80d742b6 was submitted in the REST URL parameter 2. This input was echoed as a598d</title><script>alert(1)</script>78e80d742b6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/animate

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 2dd49%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e80b730e6bf2 was submitted in the REST URL parameter 2. This input was echoed as 2dd49</title><script>alert(1)</script>80b730e6bf2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/autocomplete

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 37618%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3e803fc703c was submitted in the REST URL parameter 2. This input was echoed as 37618</title><script>alert(1)</script>3e803fc703c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/button

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 93fdc%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e2e626eca3fe was submitted in the REST URL parameter 2. This input was echoed as 93fdc</title><script>alert(1)</script>2e626eca3fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/datepicker

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 396a5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253efa1066960be was submitted in the REST URL parameter 2. This input was echoed as 396a5</title><script>alert(1)</script>fa1066960be in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/dialog

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e3220%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e374ba0e42cd was submitted in the REST URL parameter 2. This input was echoed as e3220</title><script>alert(1)</script>374ba0e42cd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/draggable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 913fc%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea299844092b was submitted in the REST URL parameter 2. This input was echoed as 913fc</title><script>alert(1)</script>a299844092b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/droppable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a0098%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4c0df0c52f2 was submitted in the REST URL parameter 2. This input was echoed as a0098</title><script>alert(1)</script>4c0df0c52f2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/effect

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 7468d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec3e432863c5 was submitted in the REST URL parameter 2. This input was echoed as 7468d</title><script>alert(1)</script>c3e432863c5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/hide

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e052a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93d47fc3cbb was submitted in the REST URL parameter 2. This input was echoed as e052a</title><script>alert(1)</script>93d47fc3cbb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/position

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload b47ea%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ec08edf90c4c was submitted in the REST URL parameter 2. This input was echoed as b47ea</title><script>alert(1)</script>c08edf90c4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/progressbar

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 31403%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e47c6884e7ee was submitted in the REST URL parameter 2. This input was echoed as 31403</title><script>alert(1)</script>47c6884e7ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/removeClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a472b%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e4022b6ec612 was submitted in the REST URL parameter 2. This input was echoed as a472b</title><script>alert(1)</script>4022b6ec612 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/resizable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 15aa5%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e0374a379391 was submitted in the REST URL parameter 2. This input was echoed as 15aa5</title><script>alert(1)</script>0374a379391 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/selectable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e5947%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e7e4b0ed442f was submitted in the REST URL parameter 2. This input was echoed as e5947</title><script>alert(1)</script>7e4b0ed442f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/show

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload cf3be%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac7eb17e92 was submitted in the REST URL parameter 2. This input was echoed as cf3be</title><script>alert(1)</script>ac7eb17e92 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/slider

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 5c543%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed2e60ca751a was submitted in the REST URL parameter 2. This input was echoed as 5c543</title><script>alert(1)</script>d2e60ca751a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/sortable

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 48288%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eac67e82f056 was submitted in the REST URL parameter 2. This input was echoed as 48288</title><script>alert(1)</script>ac67e82f056 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/switchClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload dce5d%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e931194fbe14 was submitted in the REST URL parameter 2. This input was echoed as dce5d</title><script>alert(1)</script>931194fbe14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/tabs

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 74bf4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e66633b53404 was submitted in the REST URL parameter 2. This input was echoed as 74bf4</title><script>alert(1)</script>66633b53404 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/toggle

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload af4d2%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e33cc3da75a1 was submitted in the REST URL parameter 2. This input was echoed as af4d2</title><script>alert(1)</script>33cc3da75a1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /demos/toggleClass

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload a170a%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e93e94afd858 was submitted in the REST URL parameter 2. This input was echoed as a170a</title><script>alert(1)</script>93e94afd858 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Changelog

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload b95db</title><script>alert(1)</script>2018b300e22 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Changelog

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6be57</script><script>alert(1)</script>60168f40aba was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Developer_Guide

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 58f62</title><script>alert(1)</script>bebe32d69ac was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Developer_Guide

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3fc30</script><script>alert(1)</script>a118870322d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Effects/Methods

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 1c2e3</title><script>alert(1)</script>2d0e0645d25 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Effects/Methods

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 763bb</script><script>alert(1)</script>c92f51aa55a was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Effects/Methods

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload df68a</title><script>alert(1)</script>cbd839e45c8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Effects/Methods

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 727f2</script><script>alert(1)</script>fb56f9f5163 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Getting_Started

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2c05c</script><script>alert(1)</script>f4216eaa9ea was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Getting_Started

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload ed1f2</title><script>alert(1)</script>4e14f46f97e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Git

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1b27</script><script>alert(1)</script>acb8bbcb22c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Git

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 325b5</title><script>alert(1)</script>2996e1b9954 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8ca81</script><script>alert(1)</script>174ea7c0154 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload e8b94</title><script>alert(1)</script>cf2988328a4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/API

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 4cda6</title><script>alert(1)</script>2f586665f1b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/API

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ceab9</script><script>alert(1)</script>49513c3cd2c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/API

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 91557</title><script>alert(1)</script>02c61d91876 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/API

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 54db8</script><script>alert(1)</script>9368d5de4a0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f6065</script><script>alert(1)</script>1b0f67c058 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 101b8</title><script>alert(1)</script>6252d69be12 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8461c</script><script>alert(1)</script>f779f290738 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/ThemeSwitcher

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 3d88e</title><script>alert(1)</script>b52ee0bbbb4 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82616</script><script>alert(1)</script>a7dc3dd4a3c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload 7efef</title><script>alert(1)</script>19810303b4b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2cce2</script><script>alert(1)</script>ff24c95c7da was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Theming/Themeroller

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as text between TITLE tags. The payload 7c80b</title><script>alert(1)</script>996164f01b7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Upgrade_Guide

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b3a55</script><script>alert(1)</script>a48fc76bd21 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /docs/Upgrade_Guide

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as text between TITLE tags. The payload acebc</title><script>alert(1)</script>d6cc8634230 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /download

Issue detail

The value of the themeParams request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 11a61"><script>alert(1)</script>a61e63b8ca1 was submitted in the themeParams parameter. This input was echoed as 11a61\"><script>alert(1)</script>a61e63b8ca1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b9ef1"><script>alert(1)</script>786f28ee864 was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 856ba"><script>alert(1)</script>7e0ede96139 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e46f4"><script>alert(1)</script>78f02d202ae was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83359"><script>alert(1)</script>3f46f89bf75 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bfa0a"><script>alert(1)</script>e0141161bf4 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload af7c6"><script>alert(1)</script>598ca42c4f5 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 47b6e"><script>alert(1)</script>26a180bd0fb was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d15a0"><script>alert(1)</script>217cbbbdb46 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 269fe"><script>alert(1)</script>439a3d5399f was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9dc2"><script>alert(1)</script>12595aecc6f was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 185a3"><script>alert(1)</script>34ca88f4fe4 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9f57"><script>alert(1)</script>5e1c6a7f15e was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b8b2"><script>alert(1)</script>00429556b7d was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 130b6"><script>alert(1)</script>0e302696b6e was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6928"><script>alert(1)</script>b2990def5f7 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9584"><script>alert(1)</script>091e2ef46ee was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be7a0"><script>alert(1)</script>49a1231156c was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8fbce"><script>alert(1)</script>c9c900eb451 was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a98d2"><script>alert(1)</script>3cb669f0c48 was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78c7e"><script>alert(1)</script>74dec3933ad was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e447d"><script>alert(1)</script>8562d8ecc01 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf048"><script>alert(1)</script>f93ea758174 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8be4a"><script>alert(1)</script>8fe8b3a7116 was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 76c48"><script>alert(1)</script>710e7345956 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd47"><script>alert(1)</script>5c6bd411a2e was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c68d8"><script>alert(1)</script>af61a3700a5 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the bgTextureShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1b58"><script>alert(1)</script>389286bb224 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab614"><script>alert(1)</script>ca0cfcb45f was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5530b"><script>alert(1)</script>d1cd2634cc was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4da56"><script>alert(1)</script>936f3c9192a was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de6e4"><script>alert(1)</script>0a9d3abb1a4 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8f98"><script>alert(1)</script>7af9b46dd90 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4e27"><script>alert(1)</script>99d680e85f8 was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ed482"><script>alert(1)</script>135f2cc6947 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9f44"><script>alert(1)</script>d3edcd87640 was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 329c0"><script>alert(1)</script>3b31ba1242c was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ce384"><script>alert(1)</script>8be2803e357 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4bb1d"><script>alert(1)</script>de8f868a8ad was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18b11"><script>alert(1)</script>a2e8a91da20 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9534a"><script>alert(1)</script>e23bebcd3cd was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ef18f"><script>alert(1)</script>cbc15d48ea3 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70142"><script>alert(1)</script>0a19df9f4d8 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8284"><script>alert(1)</script>59c021d2b9b was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69603"><script>alert(1)</script>617b0eaff01 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 80f4c"><script>alert(1)</script>634ec3d6ef was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the fwDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4a441"><script>alert(1)</script>e8b3746f1f8 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 14d79"><script>alert(1)</script>6fce8723dd7 was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3420"><script>alert(1)</script>b2a0d8950b9 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5febe"><script>alert(1)</script>977976b6be5 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8c777"><script>alert(1)</script>19a80c4851a was submitted in the iconColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 85187"><script>alert(1)</script>054e8a7d848 was submitted in the iconColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6b5a7"><script>alert(1)</script>e3691bf26a5 was submitted in the iconColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ab976"><script>alert(1)</script>e10766f4522 was submitted in the iconColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ee58"><script>alert(1)</script>e852cc5eefd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload be25f"><script>alert(1)</script>4bda565ed47 was submitted in the offsetLeftShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f4c6"><script>alert(1)</script>26630e994c5 was submitted in the offsetTopShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d0b37"><script>alert(1)</script>02d95f1f6f4 was submitted in the opacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fa92d"><script>alert(1)</script>b767f439082 was submitted in the opacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7dee4"><script>alert(1)</script>e5fddab94a7 was submitted in the thicknessShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cae4d"><script>alert(1)</script>8380b7870fe was submitted in the bgColorActive parameter. This input was echoed as cae4d\\\"><script>alert(1)</script>8380b7870fe in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1b331"><script>alert(1)</script>9ad54eb0294 was submitted in the bgColorContent parameter. This input was echoed as 1b331\\\"><script>alert(1)</script>9ad54eb0294 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b5ef"><script>alert(1)</script>005c2396836 was submitted in the bgColorDefault parameter. This input was echoed as 3b5ef\\\"><script>alert(1)</script>005c2396836 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 744d6"><script>alert(1)</script>05da56c372e was submitted in the bgColorError parameter. This input was echoed as 744d6\\\"><script>alert(1)</script>05da56c372e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 27087"><script>alert(1)</script>4a1552b782e was submitted in the bgColorHeader parameter. This input was echoed as 27087\\\"><script>alert(1)</script>4a1552b782e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33847"><script>alert(1)</script>d02cc6d9f2e was submitted in the bgColorHighlight parameter. This input was echoed as 33847\\\"><script>alert(1)</script>d02cc6d9f2e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload de2ea"><script>alert(1)</script>67e64d9d206 was submitted in the bgColorHover parameter. This input was echoed as de2ea\\\"><script>alert(1)</script>67e64d9d206 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 782ad"><script>alert(1)</script>acf6ffbe106 was submitted in the bgColorOverlay parameter. This input was echoed as 782ad\\\"><script>alert(1)</script>acf6ffbe106 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgColorShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1d32"><script>alert(1)</script>2deb2d37d2 was submitted in the bgColorShadow parameter. This input was echoed as e1d32\\\"><script>alert(1)</script>2deb2d37d2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ebd8c"><script>alert(1)</script>8dfbc90f084 was submitted in the bgImgOpacityActive parameter. This input was echoed as ebd8c\\\"><script>alert(1)</script>8dfbc90f084 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bffa6"><script>alert(1)</script>b6c8666acf9 was submitted in the bgImgOpacityContent parameter. This input was echoed as bffa6\\\"><script>alert(1)</script>b6c8666acf9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e16f9"><script>alert(1)</script>292b42bf4e0 was submitted in the bgImgOpacityDefault parameter. This input was echoed as e16f9\\\"><script>alert(1)</script>292b42bf4e0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f7c0"><script>alert(1)</script>cce24fe0f0 was submitted in the bgImgOpacityError parameter. This input was echoed as 8f7c0\\\"><script>alert(1)</script>cce24fe0f0 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10502"><script>alert(1)</script>7764413a2d6 was submitted in the bgImgOpacityHeader parameter. This input was echoed as 10502\\\"><script>alert(1)</script>7764413a2d6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0d13"><script>alert(1)</script>b6c76063701 was submitted in the bgImgOpacityHighlight parameter. This input was echoed as b0d13\\\"><script>alert(1)</script>b6c76063701 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 609e4"><script>alert(1)</script>daa0a1be744 was submitted in the bgImgOpacityHover parameter. This input was echoed as 609e4\\\"><script>alert(1)</script>daa0a1be744 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a26f7"><script>alert(1)</script>f7385104586 was submitted in the bgImgOpacityOverlay parameter. This input was echoed as a26f7\\\"><script>alert(1)</script>f7385104586 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ed46"><script>alert(1)</script>7837a54b6b5 was submitted in the bgImgOpacityShadow parameter. This input was echoed as 1ed46\\\"><script>alert(1)</script>7837a54b6b5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10d57"><script>alert(1)</script>c3ae1d14c80 was submitted in the borderColorActive parameter. This input was echoed as 10d57\\\"><script>alert(1)</script>c3ae1d14c80 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dc3fb"><script>alert(1)</script>251ce226b67 was submitted in the borderColorContent parameter. This input was echoed as dc3fb\\\"><script>alert(1)</script>251ce226b67 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 15983"><script>alert(1)</script>ee982da873b was submitted in the borderColorDefault parameter. This input was echoed as 15983\\\"><script>alert(1)</script>ee982da873b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 790f4"><script>alert(1)</script>345bd3673c8 was submitted in the borderColorError parameter. This input was echoed as 790f4\\\"><script>alert(1)</script>345bd3673c8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8f74c"><script>alert(1)</script>53cf914cae5 was submitted in the borderColorHeader parameter. This input was echoed as 8f74c\\\"><script>alert(1)</script>53cf914cae5 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2bd56"><script>alert(1)</script>2b342c2c976 was submitted in the borderColorHighlight parameter. This input was echoed as 2bd56\\\"><script>alert(1)</script>2b342c2c976 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the borderColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1fd51"><script>alert(1)</script>9aa54ecab94 was submitted in the borderColorHover parameter. This input was echoed as 1fd51\\\"><script>alert(1)</script>9aa54ecab94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/_rollyourown.php

Issue detail

The value of the cornerRadius request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload affe9"><script>alert(1)</script>0f2a8359a6f was submitted in the cornerRadius parameter. This input was echoed as affe9\\\"><script>alert(1)</script>0f2a8359a6f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 23ad0"><script>alert(1)</script>df5e393dd08 was submitted in the cornerRadiusShadow parameter. This input was echoed as 23ad0\\\"><script>alert(1)</script>df5e393dd08 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 549cc"><script>alert(1)</script>a2548245a2c was submitted in the fcActive parameter. This input was echoed as 549cc\\\"><script>alert(1)</script>a2548245a2c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 39623"><script>alert(1)</script>19a538c79bc was submitted in the fcContent parameter. This input was echoed as 39623\\\"><script>alert(1)</script>19a538c79bc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3438"><script>alert(1)</script>5d8c48f277d was submitted in the fcDefault parameter. This input was echoed as e3438\\\"><script>alert(1)</script>5d8c48f277d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f4eb9"><script>alert(1)</script>c5c296af40f was submitted in the fcError parameter. This input was echoed as f4eb9\\\"><script>alert(1)</script>c5c296af40f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 930d9"><script>alert(1)</script>3137f1e3c01 was submitted in the fcHeader parameter. This input was echoed as 930d9\\\"><script>alert(1)</script>3137f1e3c01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d7f7f"><script>alert(1)</script>9fa6ce8b5b8 was submitted in the fcHighlight parameter. This input was echoed as d7f7f\\\"><script>alert(1)</script>9fa6ce8b5b8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fcHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c0ba1"><script>alert(1)</script>88118119e1e was submitted in the fcHover parameter. This input was echoed as c0ba1\\\"><script>alert(1)</script>88118119e1e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the ffDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3d332"><script>alert(1)</script>12a346ef725 was submitted in the ffDefault parameter. This input was echoed as 3d332\\\"><script>alert(1)</script>12a346ef725 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the fsDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f2bd"><script>alert(1)</script>3c85cbdd759 was submitted in the fsDefault parameter. This input was echoed as 1f2bd\\\"><script>alert(1)</script>3c85cbdd759 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorActive request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac817"><script>alert(1)</script>fb276a0769b was submitted in the iconColorActive parameter. This input was echoed as ac817\\\"><script>alert(1)</script>fb276a0769b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorContent request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 36cec"><script>alert(1)</script>eae2f93adaf was submitted in the iconColorContent parameter. This input was echoed as 36cec\\\"><script>alert(1)</script>eae2f93adaf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorDefault request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d6885"><script>alert(1)</script>77d23ead5ea was submitted in the iconColorDefault parameter. This input was echoed as d6885\\\"><script>alert(1)</script>77d23ead5ea in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorError request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e8f25"><script>alert(1)</script>302e12ef894 was submitted in the iconColorError parameter. This input was echoed as e8f25\\\"><script>alert(1)</script>302e12ef894 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorHeader request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1861a"><script>alert(1)</script>6caea56c1bd was submitted in the iconColorHeader parameter. This input was echoed as 1861a\\\"><script>alert(1)</script>6caea56c1bd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorHighlight request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c128"><script>alert(1)</script>4cb1584f29a was submitted in the iconColorHighlight parameter. This input was echoed as 4c128\\\"><script>alert(1)</script>4cb1584f29a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the iconColorHover request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b465"><script>alert(1)</script>c8a7d49819 was submitted in the iconColorHover parameter. This input was echoed as 3b465\\\"><script>alert(1)</script>c8a7d49819 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the offsetLeftShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 16d23"><script>alert(1)</script>365c925dcd6 was submitted in the offsetLeftShadow parameter. This input was echoed as 16d23\\\"><script>alert(1)</script>365c925dcd6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the offsetTopShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c043f"><script>alert(1)</script>91a84df35aa was submitted in the offsetTopShadow parameter. This input was echoed as c043f\\\"><script>alert(1)</script>91a84df35aa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the opacityOverlay request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 957bd"><script>alert(1)</script>c074e2c4424 was submitted in the opacityOverlay parameter. This input was echoed as 957bd\\\"><script>alert(1)</script>c074e2c4424 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the opacityShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 190db"><script>alert(1)</script>8cf468a5797 was submitted in the opacityShadow parameter. This input was echoed as 190db\\\"><script>alert(1)</script>8cf468a5797 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/_rollyourown.php

Issue detail

The value of the thicknessShadow request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b045"><script>alert(1)</script>d2f16d0fa46 was submitted in the thicknessShadow parameter. This input was echoed as 3b045\\\"><script>alert(1)</script>d2f16d0fa46 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorActive request parameter is copied into the HTML document as plain text between tags. The payload 57259<script>alert(1)</script>3ada87c4c0b was submitted in the bgColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorContent request parameter is copied into the HTML document as plain text between tags. The payload fc267<script>alert(1)</script>1db7ecb42d6 was submitted in the bgColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorDefault request parameter is copied into the HTML document as plain text between tags. The payload 80a55<script>alert(1)</script>99652122893 was submitted in the bgColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorError request parameter is copied into the HTML document as plain text between tags. The payload e3e18<script>alert(1)</script>4cf3cc26974 was submitted in the bgColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHeader request parameter is copied into the HTML document as plain text between tags. The payload 8cb93<script>alert(1)</script>2054306e127 was submitted in the bgColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHighlight request parameter is copied into the HTML document as plain text between tags. The payload cb31c<script>alert(1)</script>f71316665e8 was submitted in the bgColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorHover request parameter is copied into the HTML document as plain text between tags. The payload 66e25<script>alert(1)</script>96f00a64c19 was submitted in the bgColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorOverlay request parameter is copied into the HTML document as plain text between tags. The payload 2887c<script>alert(1)</script>e26ef74f3f3 was submitted in the bgColorOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgColorShadow request parameter is copied into the HTML document as plain text between tags. The payload aa747<script>alert(1)</script>ae06a9ab634 was submitted in the bgColorShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityActive request parameter is copied into the HTML document as plain text between tags. The payload 63249<script>alert(1)</script>2287361c851 was submitted in the bgImgOpacityActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityContent request parameter is copied into the HTML document as plain text between tags. The payload 79d6f<script>alert(1)</script>a8d1c1087c9 was submitted in the bgImgOpacityContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityDefault request parameter is copied into the HTML document as plain text between tags. The payload d8c21<script>alert(1)</script>34a957472a0 was submitted in the bgImgOpacityDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityError request parameter is copied into the HTML document as plain text between tags. The payload 8c30a<script>alert(1)</script>8f51bf51bab was submitted in the bgImgOpacityError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHeader request parameter is copied into the HTML document as plain text between tags. The payload c2cf2<script>alert(1)</script>6fc6ab53cc7 was submitted in the bgImgOpacityHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHighlight request parameter is copied into the HTML document as plain text between tags. The payload 20da6<script>alert(1)</script>148b59b0503 was submitted in the bgImgOpacityHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityHover request parameter is copied into the HTML document as plain text between tags. The payload adddf<script>alert(1)</script>efcd2d69d27 was submitted in the bgImgOpacityHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityOverlay request parameter is copied into the HTML document as plain text between tags. The payload c8796<script>alert(1)</script>e82c1fa3989 was submitted in the bgImgOpacityOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgImgOpacityShadow request parameter is copied into the HTML document as plain text between tags. The payload 3bbcf<script>alert(1)</script>5c2068cb67e was submitted in the bgImgOpacityShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureActive request parameter is copied into the HTML document as plain text between tags. The payload 7943c<script>alert(1)</script>5b85df05f4e was submitted in the bgTextureActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureContent request parameter is copied into the HTML document as plain text between tags. The payload 23ac2<script>alert(1)</script>7ab3aebd3a was submitted in the bgTextureContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureDefault request parameter is copied into the HTML document as plain text between tags. The payload ef26d<script>alert(1)</script>aed52ae9598 was submitted in the bgTextureDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureError request parameter is copied into the HTML document as plain text between tags. The payload 8246e<script>alert(1)</script>e193d9c2737 was submitted in the bgTextureError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHeader request parameter is copied into the HTML document as plain text between tags. The payload a201a<script>alert(1)</script>bb7d36adf3b was submitted in the bgTextureHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHighlight request parameter is copied into the HTML document as plain text between tags. The payload 42800<script>alert(1)</script>197b07124e6 was submitted in the bgTextureHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureHover request parameter is copied into the HTML document as plain text between tags. The payload 4b7b1<script>alert(1)</script>981281a4f1 was submitted in the bgTextureHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureOverlay request parameter is copied into the HTML document as plain text between tags. The payload 51826<script>alert(1)</script>05369075768 was submitted in the bgTextureOverlay parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the bgTextureShadow request parameter is copied into the HTML document as plain text between tags. The payload 8f4d4<script>alert(1)</script>0d8e7da9b92 was submitted in the bgTextureShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorActive request parameter is copied into the HTML document as plain text between tags. The payload e455c<script>alert(1)</script>f14fbfd5217 was submitted in the borderColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorContent request parameter is copied into the HTML document as plain text between tags. The payload 486a3<script>alert(1)</script>334651bb09d was submitted in the borderColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorDefault request parameter is copied into the HTML document as plain text between tags. The payload 788fb<script>alert(1)</script>67297e189ba was submitted in the borderColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorError request parameter is copied into the HTML document as plain text between tags. The payload f918c<script>alert(1)</script>062f0580db6 was submitted in the borderColorError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHeader request parameter is copied into the HTML document as plain text between tags. The payload 2444c<script>alert(1)</script>12031a7a5b1 was submitted in the borderColorHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHighlight request parameter is copied into the HTML document as plain text between tags. The payload 6456d<script>alert(1)</script>154306ee43d was submitted in the borderColorHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity:

High

Confidence:

Certain

Host:

http://jqueryui.com

Path:

/themeroller/css/parseTheme.css.php

Issue detail

The value of the borderColorHover request parameter is copied into the HTML document as plain text between tags. The payload fce18<script>alert(1)</script>52d1a3f7398 was submitted in the borderColorHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadius request parameter is copied into the HTML document as plain text between tags. The payload c3d42<script>alert(1)</script>7894e4ccfcd was submitted in the cornerRadius parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadiusShadow request parameter is copied into the HTML document as plain text between tags. The payload 60ff1<script>alert(1)</script>75be290cc19 was submitted in the cornerRadiusShadow parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the cornerRadiusUnit request parameter is copied into the HTML document as plain text between tags. The payload d3c52<script>alert(1)</script>445d4d1b2e6 was submitted in the cornerRadiusUnit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the ctl request parameter is copied into the HTML document as plain text between tags. The payload 1442f<script>alert(1)</script>ef11e82e504 was submitted in the ctl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcActive request parameter is copied into the HTML document as plain text between tags. The payload 46429<script>alert(1)</script>0418f0c6ca5 was submitted in the fcActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcContent request parameter is copied into the HTML document as plain text between tags. The payload 79b56<script>alert(1)</script>cdf5961ed62 was submitted in the fcContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcDefault request parameter is copied into the HTML document as plain text between tags. The payload 652a9<script>alert(1)</script>a5ffbabd6c0 was submitted in the fcDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcError request parameter is copied into the HTML document as plain text between tags. The payload 3b3b2<script>alert(1)</script>3834a03bc29 was submitted in the fcError parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHeader request parameter is copied into the HTML document as plain text between tags. The payload 89669<script>alert(1)</script>12337c89220 was submitted in the fcHeader parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHighlight request parameter is copied into the HTML document as plain text between tags. The payload 12d09<script>alert(1)</script>bd625786f90 was submitted in the fcHighlight parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fcHover request parameter is copied into the HTML document as plain text between tags. The payload 226d6<script>alert(1)</script>a788d32d033 was submitted in the fcHover parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the ffDefault request parameter is copied into the HTML document as plain text between tags. The payload 8e61c<script>alert(1)</script>c5e6918d0b4 was submitted in the ffDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fsDefault request parameter is copied into the HTML document as plain text between tags. The payload c6879<script>alert(1)</script>2e34bfe9b51 was submitted in the fsDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fsDefaultUnit request parameter is copied into the HTML document as plain text between tags. The payload d7e55<script>alert(1)</script>d46f3bcddf7 was submitted in the fsDefaultUnit parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the fwDefault request parameter is copied into the HTML document as plain text between tags. The payload 9fe05<script>alert(1)</script>a3223e83584 was submitted in the fwDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorActive request parameter is copied into the HTML document as plain text between tags. The payload ea390<script>alert(1)</script>666eb3757be was submitted in the iconColorActive parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorContent request parameter is copied into the HTML document as plain text between tags. The payload f1be6<script>alert(1)</script>d3b6bd47496 was submitted in the iconColorContent parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Summary

Severity: High
Confidence: Certain
Host: http://jqueryui.com
Path: /themeroller/css/parseTheme.css.php

Issue detail

The value of the iconColorDefault request parameter is copied into the HTML document as plain text between tags. The payload d091e<script>alert(1)</script>c202334ef47 was submitted in the iconColorDefault parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.